How to enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0, on a Linux server


TLS Version 1.0 Protocol Detection

The TLS Version 1.0 Protocol Detection vulnerability is a security weakness of the TLS 1.0 protocol that lets an attacker downgrade a secure connection to an insecure one: the attacker sends a specially crafted message that the server interprets as a request for TLS 1.0. Once the connection has been downgraded, the attacker can exploit other weaknesses in TLS 1.0 to steal sensitive data or take control of the system.

Here are some of the attacks that a server still accepting TLS 1.0 is exposed to:

  • POODLE (Padding Oracle On Downgraded Legacy Encryption)
  • BEAST (Browser Exploit Against SSL/TLS)
  • CRIME (Compression Ratio Info-leak Made Easy)
  • FREAK (Factoring Attack on RSA-EXPORT Keys)
  • LOGJAM (Diffie-Hellman Key Exchange Weakness)

These attacks can be used to steal sensitive data and, in some cases, to take control of the system and perform other malicious actions. If you are concerned about the security of your web server, disable TLS 1.0 and use a more secure version of the protocol. Also make sure that the server is up to date with the latest security patches.


Configuring Protocols

TLS plays a vital role in the implementation stack: it is the security protocol used to encrypt communications between clients and servers. TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol and offer many advantages over their predecessors. TLS 1.2 is still the most widely used version, but TLS 1.3 is gaining popularity.

TLS 1.3 brings a dramatic increase in performance compared to its predecessor, TLS 1.2, and its speed and security capabilities have made it mandatory in today's world. Its main function is to provide an encrypted channel between the client (the web browser) and the server (the web server) over a public network such as the Internet. To set up that encrypted channel, TLS must be configured at both ends.

Before enabling TLS 1.3 on a popular web server, check that the installed version supports it:

  • Apache: v2.4.38 or above
  • Nginx: v1.13 or above
  • MySQL: 8.0.18 or above


1. Locate your server config file

The default locations are:

  • Apache: /etc/apache2/apache2.conf
  • Nginx: /etc/nginx/nginx.conf

2. Once you have found the server config file, open it with a text editor and add the following line (shown here for Apache) to the configuration file.

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

Here, 'all' enables every SSL/TLS protocol version the server supports, and a leading '-' removes the named protocol from that set. '-SSLv3 -TLSv1 -TLSv1.1' therefore disables SSLv3, TLS 1.0 and TLS 1.1, leaving only TLS 1.2 and TLS 1.3 enabled.
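A small audit script, added here as an example and not part of the original article: it expands an Apache SSLProtocol value the way mod_ssl does (the 'all', '+' and '-' tokens just explained) and reports any legacy version the directive still leaves enabled; it also checks nginx's ssl_protocols allow-list. The configuration lines it inspects are constructed samples.

```python
import re
# Protocols that 'all' covers in Apache 2.4 mod_ssl (SSLv2 no longer exists in 2.4).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions the article says must no longer be offered.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def apache_effective_protocols(value: str) -> set:
    """Expand an Apache 'SSLProtocol' value into the set of enabled protocols.
    mod_ssl rules, left to right: 'all' selects the full set, '+X' adds X,
    '-X' removes X, and a bare 'X' enables just that version."""
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled |= APACHE_ALL
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token.startswith("+"):
            enabled.add(token[1:])
        else:
            enabled.add(token)
    return enabled

def nginx_effective_protocols(value: str) -> set:
    """nginx 'ssl_protocols' is a plain allow-list: what is listed is enabled."""
    return set(value.split())

def audit_config(text: str) -> dict:
    """Map each SSLProtocol / ssl_protocols value found in the config text to the
    legacy protocols it still enables; an empty result means compliant."""
    findings = {}
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+?)\s*$", text, re.M):
        bad = apache_effective_protocols(m.group(1)) & LEGACY
        if bad:
            findings[m.group(1)] = sorted(bad)
    for m in re.finditer(r"^\s*ssl_protocols\s+(.+?)\s*;", text, re.M):
        bad = nginx_effective_protocols(m.group(1)) & LEGACY
        if bad:
            findings[m.group(1)] = sorted(bad)
    return findings

# Constructed sample lines (not from any real server): the article's hardened Apache
# directive, an Apache directive that only drops SSLv3, and an nginx allow-list.
SAMPLE_APACHE_OK = "SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1\n"
SAMPLE_APACHE_BAD = "SSLProtocol all -SSLv3\n"
SAMPLE_NGINX_BAD = "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"

if __name__ == "__main__":
    for snippet in (SAMPLE_APACHE_OK, SAMPLE_APACHE_BAD, SAMPLE_NGINX_BAD):
        print(snippet.strip(), "->", audit_config(snippet) or "compliant")
```

Point audit_config at the contents of your real apache2.conf or nginx.conf after editing, so the change is verified rather than assumed before the service is reloaded.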


